Advisory
A note with CVSS 5.4 for component EPM-DSM-GEN was released by SAP on 08.12.2020. The correction/advisory 2971180 was described with "[CVE-2020-26828] Formula Injection in SAP Disclosure Management" and affects the system type SAP Disclosure Management.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is command injection within SAP Disclosure Management.
Risk specification
An authenticated attacker could upload files to Disclosure Management containing scripts. The execution of such scripts could modify or read data available in a spreadsheet.
Solution
It is no longer possible to upload files containing a script.